author | Arthur de Jong <arthur@arthurdejong.org> | 2010-08-14 16:33:51 +0200 |
---|---|---|
committer | Arthur de Jong <arthur@arthurdejong.org> | 2010-08-14 16:33:51 +0200 |
commit | fb2c8d11ebe0d0ac66800897d7f5675be11d5df6 (patch) | |
tree | 6914c9942e7aa47802997a6b72d3a7b9205f1cf9 /debian | |
parent | 1c01cb7e55e8abf20c6578217a1618fa379f96ac (diff) |
offer to add ldap to shadow in nsswitch.conf if a potential broken configuration is found
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1171 ef36b2f9-881f-0410-afb5-c4e39611909c
Diffstat (limited to 'debian')
-rw-r--r-- | debian/libnss-ldapd.postinst | 2 | ||||
-rw-r--r-- | debian/libnss-ldapd.postrm | 1 | ||||
-rw-r--r-- | debian/libpam-ldapd.lintian-overrides | 6 | ||||
-rw-r--r-- | debian/libpam-ldapd.postinst | 42 | ||||
-rw-r--r-- | debian/libpam-ldapd.templates | 15 |
5 files changed, 66 insertions, 0 deletions
diff --git a/debian/libnss-ldapd.postinst b/debian/libnss-ldapd.postinst index 34c55be..6124dd6 100644 --- a/debian/libnss-ldapd.postinst +++ b/debian/libnss-ldapd.postinst @@ -7,6 +7,7 @@ set -e # check to see if name is configured to do lookups through # LDAP and enable if not +# Note: this function is in both libnss-ldapd.postinst and libpam-ldapd.postinst nss_enable() { name="$1" @@ -27,6 +28,7 @@ nss_enable() } # remove NSS lookups though LDAP for the specified service +# Note: this function is in both libnss-ldapd.postinst and libnss-ldapd.postrm nss_disable() { name="$1" diff --git a/debian/libnss-ldapd.postrm b/debian/libnss-ldapd.postrm index b21df19..a4a95f2 100644 --- a/debian/libnss-ldapd.postrm +++ b/debian/libnss-ldapd.postrm @@ -3,6 +3,7 @@ set -e # remove NSS lookups though LDAP for the specified service +# Note: this function is in both libnss-ldapd.postinst and libnss-ldapd.postrm nss_disable() { name="$1" diff --git a/debian/libpam-ldapd.lintian-overrides b/debian/libpam-ldapd.lintian-overrides new file mode 100644 index 0000000..1f54a33 --- /dev/null +++ b/debian/libpam-ldapd.lintian-overrides @@ -0,0 +1,6 @@ +# we prompt in postinst instead of config because we can only +# reliably detect the actual configuration in postinst and are +# only doing this if we detect that there is something wrong +# with the actual config +libpam-ldapd: no-debconf-config +libpam-ldapd: postinst-uses-db-input diff --git a/debian/libpam-ldapd.postinst b/debian/libpam-ldapd.postinst index 20c9b76..026c2e9 100644 --- a/debian/libpam-ldapd.postinst +++ b/debian/libpam-ldapd.postinst 
@@ -2,6 +2,48 @@ set -e +# source debconf library. +. /usr/share/debconf/confmodule +db_version 2.0 + #DEBHELPER# pam-auth-update --package + +# check to see if name is configured to do lookups through +# LDAP and enable if not +# Note: this function is in both libnss-ldapd.postinst and libpam-ldapd.postinst +nss_enable() +{ + name="$1" + if ! grep -q '^'$name':.*ldap.*' /etc/nsswitch.conf + then + echo "/etc/nsswitch.conf: enable LDAP lookups for $name" >&2 + if grep -q '^'$name':' /etc/nsswitch.conf + then + # modify an existing entry by just adding ldap to the end + sed -i 's/^\('$name':.*[^[:space:]]\)[[:space:]]*$/\1 ldap/' /etc/nsswitch.conf + else + # append a new line + printf '%-15s ldap\n' $name':' >> /etc/nsswitch.conf + fi + fi + # we're done + return 0 +} + +# if /etc/nsswitch.conf contains passwd: ..ldap but not shadow: ...ldap +# warn the user that this will not work and offer to fix it +if grep -q '^passwd:.*ldap' /etc/nsswitch.conf && \ + ! grep -q '^shadow:.*ldap' /etc/nsswitch.conf +then + if db_input critical libpam-ldapd/enable_shadow + then + db_go + db_get libpam-ldapd/enable_shadow + if [ "$RET" = "true" ] + then + nss_enable shadow + fi + fi +fi diff --git a/debian/libpam-ldapd.templates b/debian/libpam-ldapd.templates new file mode 100644 index 0000000..1abfac5 --- /dev/null +++ b/debian/libpam-ldapd.templates 
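Review bot: The new top-level check and nss_enable() treat any occurrence of the substring `ldap` on the line as an enabled LDAP source, so `grep -q '^shadow:.*ldap'` also matches a trailing comment such as `shadow: files # ldap` (constructed example); the broken configuration this commit targets would then go undetected and no prompt is shown. The `^passwd:.*ldap` test has the same problem in reverse. The sed append in nss_enable() also adds ` ldap` at the very end of the line, which would land inside a trailing comment if one is present and leave the lookup disabled after the user agreed to the fix. Consider matching only the uncommented part and a whole word, e.g. `grep -q '^shadow:[^#]*\<ldap\>' /etc/nsswitch.conf`, and quoting `$name` where it is expanded. The copy of nss_enable() in libnss-ldapd.postinst lies outside this hunk and presumably needs the same change.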
@@ -0,0 +1,15 @@
+Template: libpam-ldapd/enable_shadow
+Type: boolean
+Default: true
+_Description: Enable shadow lookups through NSS?
+ For the proper operation of the PAM stack the NSS module should return
+ shadow information for LDAP users, otherwise these users will not be able
+ to log in. Note that the shadow entries themselves may be empty (i.e. it
+ is not needed to expose password hashes).
+ .
+ More background information on this requirement can be found here:
+ http://bugs.debian.org/583492
+ .
+ You can edit /etc/nsswitch.conf by hand or choose to add the entry
+ automatically now. Be sure to review the changes to /etc/nsswitch.conf if
+ you choose to add the entry now. |